I’ve got a service running inside a docker container. I’ve built my own image based on the nginx:stable-alpine docker image.
I am trying to ascertain whether the concept of CIS hardening applies to the container itself or just the host OS where the container is running. (I am not interested in the host itself as that is already CIS hardened by the hosting provider)
Had a couple of suggestions such as https://github.com/docker/docker-bench-security and https://github.com/dev-sec/cis-docker-benchmark, but these again only seem to apply to the host OS where docker is running. The nginx alpine image does, for example, contain some sample confs and html which should be removed according to CIS hardening rules.
Are there any scripts or tools I can run that can report on whether there are other aspects of the container that need to be hardened in the Dockerfile to ensure the container is CIS compliant? Ideally I’d like to avoid having to prove every point in the CIS hardening spec manually. I have found this, but it’s a 3-year-old script and I can’t be confident that it’s maintained.
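One way to check the image itself rather than the host, added here as an example and not code from the question or from either linked project: export the built image's filesystem and run a small POSIX shell check over it. The three sample paths it looks for (`/etc/nginx/conf.d/default.conf` and the stock `index.html`/`50x.html` under `/usr/share/nginx/html`) are what the official nginx image ships; the world-writable and setuid/setgid checks are assumed extra items a reviewer would add, not text quoted from the CIS benchmark. The `docker create` / `docker export` extraction step in the comment is the assumed way to obtain the `rootfs` directory.

```shell
#!/bin/sh
# Assumed workflow (not from the original post): extract the image's root filesystem first, e.g.
#   id=$(docker create my-nginx:latest) && mkdir rootfs \
#     && docker export "$id" | tar -C rootfs -xf - && docker rm "$id"
# then run:  check_nginx_rootfs ./rootfs

# Prints one line per finding and returns 0 when clean, 1 when anything was found,
# so it can gate a CI build of the image.
check_nginx_rootfs() {
  root="$1"
  findings=0

  # Sample config and content that the stock nginx image ships and that the
  # question says a hardened image should no longer contain.
  for f in etc/nginx/conf.d/default.conf \
           usr/share/nginx/html/index.html \
           usr/share/nginx/html/50x.html; do
    if [ -e "$root/$f" ]; then
      echo "FINDING sample file still present: /$f"
      findings=$((findings + 1))
    fi
  done

  # Assumed generic checks (not quoted from the benchmark): world-writable files
  # let any process in the container tamper with content or config.
  ww=$(find "$root" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' ')
  if [ "$ww" -gt 0 ]; then
    echo "FINDING $ww world-writable file(s):"
    find "$root" -xdev -type f -perm -0002 2>/dev/null | sed "s|^$root|  |"
    findings=$((findings + ww))
  fi

  # setuid/setgid binaries are rarely needed in an nginx image and widen the
  # impact of a compromise of the unprivileged worker processes.
  sg=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' ')
  if [ "$sg" -gt 0 ]; then
    echo "FINDING $sg setuid/setgid file(s):"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sed "s|^$root|  |"
    findings=$((findings + sg))
  fi

  echo "$findings finding(s) in $root"
  [ "$findings" -eq 0 ]
}

# Run directly as a script: check_nginx_rootfs <extracted-rootfs-dir>
if [ "${1:-}" != "" ] && [ -d "$1" ]; then
  check_nginx_rootfs "$1"
fi
```

The check deliberately works on an extracted directory rather than calling `docker` inside the function, so the same script can run against a CI artifact or a `docker save` layer dump; anything it flags can then be fixed in the Dockerfile (for example `RUN rm -f /etc/nginx/conf.d/default.conf /usr/share/nginx/html/*` before copying in your own content) and the image rebuilt until it reports zero findings.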